Friday, April 10, 2009

Active Directory Replication. A basic idea of HOW it all works.

I’ve received quite a few emails from PUG members asking for details on how replication in a domain environment actually works. The following should give you all a brief understanding of how it happens in the background and which components are involved in AD replication.

Active Directory replication is performed through multi-master replication and only changes are replicated. In other words, changes to the Active Directory can be made at any domain controller and only the change that is made will be replicated to all other domain controllers. The replication process is invisible to administrators and users.

Once a change has been made, the process ensures the data is replicated to domain controllers and that errors do not occur.

Change Notification

The process begins with a “change notification.” This change notification is sent to all domain controllers so they know there has been a change in the Active Directory database and that change is about to be replicated. Once the change notification has been sent, the process continues with an “update request.”

Update Request

When a domain controller needs to replicate update data, an “originating update” is established. An originating update determines the kind of change that needs to be made to the Active Directory database. There are four different kinds of originating updates—add, modify, modifyDN, and delete.

The add update adds an object to the Active Directory. For example, if you add a new shared folder, the add update replicates the information to all domain controllers. The modify update changes an attribute of an existing object.

A major feature of the replication process is Update Sequence Numbers (USNs). USNs are assigned numbers that are stored in a USN table on each domain controller. The USN table is used to determine which updates still need to flow between domain controllers. In other words, when a change occurs in the Active Directory, the domain controller where the change was made increments its USN; every other domain controller is now holding an older USN for that attribute, which marks its copy as out of date. When replication occurs, the USN is updated on all domain controllers.

The USN allows other domain controllers to recognise that their copy is outdated and that the replication update needs to be processed. Because USNs carry this information, timestamps on replication data are not strictly necessary, although they are still maintained by the Active Directory and used in certain circumstances.
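As an added illustration that is not part of the original post, the following toy Python model shows the USN mechanism described above: each domain controller keeps its own USN counter, stamps every write with the originating DC and its USN, and on an update request pulls only the partner's changes above the high watermark it last recorded for that partner. The class, DC names and the simplified "same origin, same or newer USN" skip rule are assumptions of the model; real AD also uses per-attribute version numbers and timestamps to resolve conflicts.

```python
from dataclasses import dataclass, field

# Hypothetical toy model of USN-based replication (not Microsoft's code).
# Each attribute value carries (value, originating DC, originating USN); a DC
# pulls only partner log entries above the high watermark it keeps per partner.

@dataclass
class DomainController:
    name: str
    usn: int = 0                                        # local update sequence number
    objects: dict = field(default_factory=dict)         # dn -> {attr: (value, origin_dc, origin_usn)}
    high_watermark: dict = field(default_factory=dict)  # partner name -> last partner USN received
    log: list = field(default_factory=list)             # (local_usn, dn, attr, value, origin_dc, origin_usn)

    def _stamp(self, dn, attr, value, origin_dc, origin_usn):
        self.usn += 1                                   # every write, local or replicated, bumps our USN
        self.objects.setdefault(dn, {})[attr] = (value, origin_dc, origin_usn)
        self.log.append((self.usn, dn, attr, value, origin_dc, origin_usn))

    def originating_update(self, dn, attr, value):
        """Add/modify made locally: this DC is the origin. Delete is modelled as value None."""
        self._stamp(dn, attr, value, self.name, self.usn + 1)
        return self.usn

    def replicate_from(self, partner):
        """Update request: apply only partner changes above our watermark, skipping ones we hold."""
        start = self.high_watermark.get(partner.name, 0)
        applied = 0
        for local_usn, dn, attr, value, origin_dc, origin_usn in partner.log:
            if local_usn <= start:
                continue                                # already received in an earlier cycle
            held = self.objects.get(dn, {}).get(attr)
            if held and held[1] == origin_dc and held[2] >= origin_usn:
                continue                                # same originating write reached us via another path
            self._stamp(dn, attr, value, origin_dc, origin_usn)
            applied += 1
        self.high_watermark[partner.name] = partner.usn  # remember how far we have read
        return applied

def demo():
    # Constructed scenario: two writes on DC1, then pulls by DC2 and DC3.
    dc1, dc2, dc3 = (DomainController(n) for n in ("DC1", "DC2", "DC3"))
    dc1.originating_update("cn=alice,ou=users", "title", "Engineer")
    dc1.originating_update("cn=alice,ou=users", "mail", "alice@example.test")
    first = dc2.replicate_from(dc1)    # 2: both changes cross the wire
    second = dc2.replicate_from(dc1)   # 0: nothing new, only changes replicate
    third = dc3.replicate_from(dc2)    # 2: DC3 learns DC1's writes transitively via DC2
    fourth = dc3.replicate_from(dc1)   # 0: same originating USNs already held (dampened)
    return first, second, third, fourth, dc3.objects["cn=alice,ou=users"]["mail"]

if __name__ == "__main__":
    print(demo())
```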

Replication Partitions in AD

Replication in an Active Directory environment functions at three major levels: the schema, configuration and domain partitions.

The schema partition contains object and attribute definitions.

The configuration partition contains information about the physical structure of the Active Directory, such as the sites and domains and where domain controllers reside in the enterprise.

The domain partition contains information about all Active Directory objects that are specific to that domain, such as users and groups, OUs, and other resources.

A single Active Directory domain is much easier to implement in terms of replication. If your environment will use multiple domains, it is important to consider how replication will occur in your environment and how global catalog servers should be placed. I’ll cover this in my next post.
